Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
It's also worth noting that BERserk is one of many such incidents of this coming up in practice: https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/

On Tue, Aug 9, 2016 at 2:13 PM, Tony Arcieri wrote:

> On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:
>
>> BERserk is an implementation defect, not a crypto weakness.
>>
>
> Hence why I phrased the question the way I did. Per Izu, Shimoyama, and
> Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid
> (of course, the same can be said of BER in BERserk, and it was clearly the
> bigger of the two problems).
>
> Peter Gutmann's response was the sort of thing I was looking for when I
> originally asked the question.
>
> --
> Tony Arcieri

--
Tony Arcieri

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
On Tue, Aug 9, 2016 at 7:16 AM, Martin Rex wrote:

> BERserk is an implementation defect, not a crypto weakness.

Hence why I phrased the question the way I did. Per Izu, Shimoyama, and Takenaka 2006, PKCS#1 v1.5 has sharp edges which implementers must avoid (of course, the same can be said of BER in BERserk, and it was clearly the bigger of the two problems).

Peter Gutmann's response was the sort of thing I was looking for when I originally asked the question.

--
Tony Arcieri
[TLS] early IANA code point assignment request for draft-ietf-tls-ecdhe-psk-aead
All,

We've received a request for early IANA assignments for the 6 cipher suites listed in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/. Please respond before August 23rd if you have concerns about early code point assignment for these cipher suites.

J
Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
Tony Arcieri wrote:

> On Monday, August 8, 2016, Martin Rex wrote:
>
>> The urban myth about the advantages of the RSA-PSS signature scheme
>> over PKCS#1 v1.5 keep coming up.
>
> Do you think we'll see real-world MitM attacks against RSA-PSS in TLS
> similar to those we've seen with PKCS#1v1.5 signature forgery, such as
> BERserk?

BERserk is an implementation defect, not a crypto weakness.

-Martin
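To make concrete the point argued above, that the PKCS#1 v1.5 forgeries the thread cites come from lenient verifiers rather than from the scheme itself, here is an added example in Python. It is not code from any of the posts and does not reproduce BERserk's actual bug: it assumes e = 3, a toy 2048-bit key from a seeded generator, and a verifier that stops checking once it has located the DigestInfo after the padding (the classic Bleichenbacher-style lenient check); BERserk exploited sloppy BER length parsing inside that same DigestInfo, a different bug of the same class. The function names verify_lenient, verify_strict, forge_signature_e3 and demo are this example's own.

```python
import hashlib
import hmac
import math
import random

_rng = random.Random(20160809)  # seeded toy RNG: demo only, never for real keys
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

def _is_probable_prime(n, rounds=32):  # trial division by small primes, then Miller-Rabin
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=2048, e=3):
    """Toy RSA key (n, e, d) with gcd(e, phi) == 1; pow(e, -1, m) needs Python 3.8+."""
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if math.gcd(e, c - 1) == 1 and _is_probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _digest_info(msg):  # T = DER DigestInfo(SHA-256, H(msg))
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()

def emsa_pkcs1_v15_encode(msg, k):
    """EM = 00 || 01 || PS (>= 8 x FF) || 00 || T, exactly k bytes."""
    t = _digest_info(msg)
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(n, d, msg):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def _recover_em(n, e, sig):  # RSAVP1 plus the length checks of RFC 8017 8.2.2; None on failure
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return pow(s, e, n).to_bytes(k, "big") if len(sig) == k and s < n else None

def verify_strict(n, e, msg, sig):
    """Rebuild the expected EM and compare all k bytes (RFC 8017 8.2.2)."""
    em = _recover_em(n, e, sig)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, len(em)))

def verify_lenient(n, e, msg, sig):
    """Defective parser: checks only that T follows the 00 separator."""
    em = _recover_em(n, e, sig)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = _digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t  # BUG: padding length and em[i + 1 + len(t):] unchecked

def _icbrt(x):  # largest integer s with s ** 3 <= x
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

def forge_signature_e3(n, msg, pad_len=8):
    """Public-key-only forgery against verify_lenient for e == 3: any s with
    s**3 < n whose cube starts with 00 01 FF*pad_len 00 T is accepted."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + _digest_info(msg)
    free = k - len(head)
    lo = int.from_bytes(head + b"\x00" * free, "big")
    s = _icbrt(int.from_bytes(head + b"\xff" * free, "big"))
    if s ** 3 < lo:  # free tail narrower than the gap between consecutive cubes
        raise ValueError("modulus too small for this forgery")
    return s.to_bytes(k, "big")

def demo(bits=2048):
    """Genuine signature passes both verifiers; the forgery passes only the lenient one."""
    n, e, d = generate_rsa_key(bits, 3)
    msg = b"constructed sample message (not real TLS data)"
    sigs = {"genuine": sign(n, d, msg), "forged": forge_signature_e3(n, msg)}
    return {f"{which}_{name}": fn(n, e, msg, sig) for which, sig in sigs.items()
            for name, fn in (("strict", verify_strict), ("lenient", verify_lenient))}
```

demo() returns the four verdicts: the genuine signature passes both verifiers, while the forgery, computed from the public key alone, passes only verify_lenient. The check that closes the whole class is the one verify_strict uses and RFC 8017 section 8.2.2 prescribes: re-encode the expected EM and compare all k bytes, instead of parsing the recovered EM and stopping once the hash has been found. The example needs Python 3.8 or later and takes a few seconds because it generates a 2048-bit key in pure Python; with a 1024-bit modulus the free tail is narrower than the gap between consecutive cubes and forge_signature_e3 raises, which is why this forgery needs a large modulus relative to the hash.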